From patchwork Fri Sep 17 21:56:02 2021
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1529570
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Sat, 18 Sep 2021 00:56:02 +0300
Message-Id: <20210917215602.10633-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn] northd: support HW VTEP with stateful datapath

A packet going from an HW VTEP device to a VIF port, when it arrives at the hypervisor chassis, should go through the LS ingress pipeline to the l2_lkp stage without any match. In the l2_lkp stage an output port is determined, and then the packet is passed to the LS egress pipeline for further processing and delivery to the VIF port.

Prior to this commit, a packet received from an HW VTEP device was dropped in an LS ingress datapath where stateful services (ACLs, LBs) were defined.

To fix this issue, we add a special flag bit which can be used in LS pipelines to check whether the packet came from an HW VTEP device. In ls_in_pre_acl and ls_in_pre_lb we add a new flow with priority 110 to skip such packets.
Signed-off-by: Vladislav Odintsov --- northd/northd.c | 14 ++++++++++++++ northd/ovn-northd.8.xml | 29 +++++++++++++++++++++++++++++ northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++-- tests/ovn-northd.at | 2 ++ 4 files changed, 76 insertions(+), 2 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 688a6e4ef..1b84874a7 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -196,6 +196,7 @@ enum ovn_stage { #define REGBIT_LKUP_FDB "reg0[11]" #define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REGBIT_ACL_LABEL "reg0[13]" +#define REGBIT_FROM_RAMP "reg0[14]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5112,6 +5113,11 @@ build_lswitch_input_port_sec_op( if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } + + if (!strcmp(op->nbsp->type, "vtep")) { + ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); + } + ds_put_cstr(actions, "next;"); ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), @@ -5359,6 +5365,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", 
@@ -5463,6 +5473,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "eth.src == $svc_monitor_mac", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index eebf0d717..7bb39d2ab 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -262,6 +262,18 @@ logical ports on which port security is not enabled, these advance all packets that match the inport. +
  • + Logical flows for RAMP (controller-vtep) devices are created for each + physical switch. Packets came from such devices hit these flows and set + the 14'th bit of OVS register 0 (REG0[14]) to 1. This regbit indicates + that packet came from RAMP (controller-vtep) device. Later in logical + switch ingress pipeline this register is checked in ls_in_acl_pre and + ls_in_lb_pre stages whether to skip sending packet to conntrack in + ingress pipeline or not. Packets from RAMP devices should go though + ingress pipeline without any flow match till ls_in_l2_lkup stage to + determine output port. Stateful ACLs for coming from RAMP device + packets are checked within logical switch egress pipeline. +
  • @@ -453,6 +465,14 @@ processing.

    +

    + This table has a priority-110 flow with the match + reg0[14] == 1 for all logical switch datapaths to resubmit + traffic to the next table. reg0[14] is the register bit, + which indicates that packet was received from RAMP device. Packets from + RAMP device are handled by ACLs only in Logical Switch egress pipeline. +

    +

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch @@ -512,6 +532,15 @@ configured. We can now add a lflow to drop ct.inv packets.

    +

    + This table has a priority-110 flow with the match + reg0[14] == 1 for all logical switch datapaths to resubmit + traffic to the next table. reg0[14] is the register bit, + which indicates that packet was received from RAMP device. Packets from + RAMP device could be handled by load balancing flows only in Logical + Switch egress pipeline. +

    +

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 669728497..0202af5dc 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1631,6 +1631,7 @@ function rEGBIT_ACL_HINT_BLOCK() : istring = i"reg0[10]" function rEGBIT_LKUP_FDB() : istring = i"reg0[11]" function rEGBIT_HAIRPIN_REPLY() : istring = i"reg0[12]" function rEGBIT_ACL_LABEL() : istring = i"reg0[13]" +function rEGBIT_FROM_RAMP() : istring = i"reg0[14]" function rEG_ORIG_DIP_IPV4() : istring = i"reg1" function rEG_ORIG_DIP_IPV6() : istring = i"xxreg1" @@ -2070,6 +2071,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) { .io_port = None, .controller_meter = None); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_ACL(), + .priority = 110, + .__match = i"${rEGBIT_FROM_RAMP()} == 1", + .actions = i"next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -2136,6 +2147,16 @@ for (&Switch(._uuid = ls_uuid)) { .io_port = None, .controller_meter = None); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_LB(), + .priority = 110, + .__match = i"${rEGBIT_FROM_RAMP()} == 1", + .actions = i"next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Allow all packets to go to next tables by default. */ Flow(.logical_datapath = ls_uuid, .stage = s_SWITCH_IN_PRE_LB(), 
@@ -3361,10 +3382,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = match (pbinding.options.get(i"qdisc_queue_id")) { + var actions = { + var ramp = if (lsp.__type == i"vtep") { + i"${rEGBIT_FROM_RAMP()} = 1; " + } else { + i"" + }; + var queue = match (pbinding.options.get(i"qdisc_queue_id")) { None -> i"next;", Some{id} -> i"set_queue(${id}); next;" - } in + }; + i"${ramp}${queue}" + } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(), .priority = 50, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 2af3f2096..5de554455 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3597,6 +3597,7 @@ check_stateful_flows() { table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl @@ -3660,6 +3661,7 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
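Review bot: In the build_lswitch_input_port_sec_op hunk, `ds_put_format(actions, REGBIT_FROM_RAMP" = 1; ");` passes a format string with no conversion specifiers; `ds_put_cstr(actions, REGBIT_FROM_RAMP" = 1; ");` is the idiomatic call here, matching the `ds_put_cstr(actions, "next;");` line right below it. A one-line comment on why only `op->nbsp->type == "vtep"` ports get the bit would also help a later reader see that the conntrack bypass is scoped to traffic entering through a RAMP lport, e.g. "/* Mark traffic entering from a RAMP (vtep) port so later stages can skip conntrack. */".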
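Review bot: The priority-110 `REGBIT_FROM_RAMP" == 1" -> "next;"` flow added in build_pre_acls bypasses conntrack in S_SWITCH_IN_PRE_ACL only, so "from-lport" ACLs, which are evaluated in the ingress pipeline, are never applied to RAMP traffic; the commit message says these packets are covered by stateful ACLs in the egress pipeline instead, and the code comment should state that trade-off rather than the current "Do not send coming from RAMP switch packets to conntrack.", e.g. "/* Packets from a RAMP (vtep) port skip conntrack here; stateful ACLs for them are applied in the egress pipeline. */". The same comment is repeated verbatim in build_pre_lb and in both ovn_northd.dl hunks and should be reworded there too.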
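Review bot: The new paragraph in ovn-northd.8.xml uses stage names that do not exist: "ls_in_acl_pre and ls_in_lb_pre" should be ls_in_pre_acl and ls_in_pre_lb (the test expectations in this same patch use "table=6 (ls_in_pre_lb )"). Grammar in the same paragraph: "Packets came from such devices" -> "Packets coming from such devices", "14'th bit" -> "14th bit", "go though" -> "go through", and "Stateful ACLs for coming from RAMP device packets" -> "Stateful ACLs for packets coming from a RAMP device".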
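Review bot: The Pre-ACL documentation hunk says the priority-110 reg0[14] == 1 flow exists "for all logical switch datapaths", but in ovn_northd.dl that Flow is emitted inside `for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true))`, i.e. only for switches with stateful ACLs. Either reword the documentation to "for logical switch datapaths with stateful ACLs" or confirm that the C side in build_pre_acls (whose enclosing condition is not visible in the hunk) really adds it unconditionally, so that both implementations and the docs agree.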
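Review bot: The SwitchPort hunk in ovn_northd.dl orders the actions differently from the C implementation: DDlog emits `${ramp}${queue}`, i.e. "reg0[14] = 1; set_queue(id); next;", while the C hunk appends `set_queue(%s); ` first and `REGBIT_FROM_RAMP" = 1; "` after it. The two are functionally equivalent, but the C and DDlog northd are expected to generate identical logical flow text, so the order should be swapped in one of them (simplest is to build `queue` before `ramp` in DDlog and emit `${queue_prefix}${ramp}next;`, or move the C regbit assignment above the `if (queue_id)` block).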
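Review bot: Both tests/ovn-northd.at hunks only add an expectation for the ls_in_pre_lb flow (`match=(reg0[[14]] == 1)`); nothing verifies the new priority-110 flow in ls_in_pre_acl, nor that a logical switch port of type "vtep" gets `reg0[14] = 1;` prepended in its ls_in_port_sec_l2 action while ports of other types do not. Please add a grep for ls_in_pre_acl alongside the ls_in_pre_lb ones and a small case with a vtep-type port, since that is the scoping that keeps the conntrack bypass limited to RAMP traffic.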